Date: Sunday, July 25, 2021 @ 01:24:07 Author: archange Revision: 984931
Harden systemd service a bit more Modified: couchdb/trunk/PKGBUILD couchdb/trunk/couchdb.service -----------------+ PKGBUILD | 14 +++++++------- couchdb.service | 23 +++++++++++++++++------ 2 files changed, 24 insertions(+), 13 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2021-07-25 01:20:20 UTC (rev 984930)
+++ PKGBUILD 2021-07-25 01:24:07 UTC (rev 984931)
@@ -5,7 +5,7 @@
 pkgname=couchdb
 pkgver=3.1.1
-pkgrel=3
+pkgrel=2
 pkgdesc="Document-oriented database that can be queried and indexed in a MapReduce fashion using JSON"
 arch=(x86_64)
 url="https://couchdb.apache.org"
@@ -19,12 +19,12 @@
 couchdb.sysusers
 couchdb.tmpfiles
 datadirs.ini)
-sha256sums=(8ffe766bba2ba39a7b49689a0732afacf69caffdf8e2d95447e82fb173c78ca3
- SKIP
- 293fe7ce16de6feb5927bf151360c7441f427f1d6bec73bc9ecb1e530be2b93a
- 3ed1ad2a37a068ce194b03fb72eb35285d60fa7faf2d2c2bb710703d229108a8
- 0ce806cbc5e18e60b17be9fd2cdbd4c7f12cc84ca95b079efdede16ddb5f3efd
- 937ca3498aab47b3f2226d027fa8a1a95de55cbb463373099e28cb9a6c7046ac)
+sha256sums=('8ffe766bba2ba39a7b49689a0732afacf69caffdf8e2d95447e82fb173c78ca3'
+ 'SKIP'
+ '38f3e489c031b8c6eacd8b9da3ca91362d7929e8f5e3c8b0e4cf5401c67bf7bb'
+ '3ed1ad2a37a068ce194b03fb72eb35285d60fa7faf2d2c2bb710703d229108a8'
+ '0ce806cbc5e18e60b17be9fd2cdbd4c7f12cc84ca95b079efdede16ddb5f3efd'
+ '937ca3498aab47b3f2226d027fa8a1a95de55cbb463373099e28cb9a6c7046ac')
 validpgpkeys=(2EC788AE3F239FA13E82D215CDE711289384AE37 # Joan Touzet (CODE SIGNING KEY) <woh...@apache.org>
 D2B17F9DA23C0A10991AF2E3D9EE01E47852AEE4) # Jan Lehnardt <j...@apache.org>
Modified: couchdb.service
===================================================================
--- couchdb.service 2021-07-25 01:20:20 UTC (rev 984930)
+++ couchdb.service 2021-07-25 01:24:07 UTC (rev 984931)
@@ -9,23 +9,34 @@
 StateDirectory=couchdb
 Environment="ERL_FLAGS=-couch_ini /usr/lib/couchdb/etc/default.ini /usr/lib/couchdb/etc/datadirs.ini /etc/couchdb/local.ini"
 ExecStart=/usr/lib/couchdb/bin/couchdb
+ReadWritePaths=/etc/couchdb/local.ini
 Restart=always
 RestartSec=2s
+AmbientCapabilities=
 CapabilityBoundingSet=
+LockPersonality=true
+# Not compatible with the use of JS
+#MemoryDenyWriteExecute=true
 NoNewPrivileges=True
-PrivateUsers=true
 PrivateDevices=true
 PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=yes
 ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=yes
+ProtectKernelTunables=true
+ProtectProc=invisible
 ProtectSystem=strict
-ProtectControlGroups=yes
-ProtectKernelTunables=true
-ProtectKernelModules=yes
-ReadWritePaths=/etc/couchdb/local.ini
-LockPersonality=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+RestrictNamespaces=true
 RestrictRealtime=true
+RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 [Install]
 WantedBy=multi-user.target
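Review bot: `SystemCallErrorNumber=EPERM`, added as the last directive of [Service], turns a call outside `@system-service` from a SIGSYS kill into a plain error return, so a filter violation no longer shows up as a crash and is easy to miss unless seccomp auditing is enabled on the host. The choice is defensible next to `Restart=always`, but it should carry a comment in the style of the one on `MemoryDenyWriteExecute`, for example `# Fail filtered syscalls with EPERM instead of killing the service; violations are not logged by default`. `AF_NETLINK` in `RestrictAddressFamilies` likewise has no stated reason; if it is there for the Erlang runtime's interface lookup (an assumption, the hunk does not say), a one-line comment should record that so the list is not widened or trimmed blindly later. The [Unit] section and the top of [Service] lie outside the hunk, so `User=` and the rest of the sandbox could not be checked here.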